Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware

Posted on by

By Dancho Danchev

Remember the ‘LinkedIn Invitations’ themed malware campaign which I profiled in March, 2012?

A few hours, ago, the cybercriminals behind it launched another round of malicious emails to millions of end and corporate users.

More details:

Once the user clicks on the link (hxxp://hseclub.net/main.php?page=d72ac4be16dd8476), a client-side exploit, CVE-2010-1885 in particular, will attempt to drop the  following MD5 on the affected host, MD5: 66dfb48ddc624064d21d371507191ff0

Upon execution the sample attempts to connect to the following hosts:

  • janisjhnbdaklsjsad.ru:443 with user janisjhnbdaklsjsad.ru and password janisjhnbdaklsjsad.ru – 91.229.91.73, AS50939, SPACE-AS
  • sllflfjsnd784982ncbmvbjh434554b3.ru – 91.217.162.42, AS29568, COMTEL-AS
  • kamperazonsjdnjhffaaaae38.ru – 91.217.162.42, AS29568, COMTEL-AS
  • iiioioiiiiooii2iio1oi.ru – 91.217.162.42, AS29568, COMTEL-AS

Another malware with MD5: 4b1fce0f9a8abdcb7ac515d382c55013 is known to have used one of these C&C domains in the past, janisjhnbdaklsjsad.ru in particular.

Webroot SecureAnywhere users are protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

One thought on “Ongoing ‘LinkedIn Invitation’ themed campaign serving client-side exploits and malware

  1. Pingback: Ongoing spam campaign impersonates LinkedIn, serves exploits and malware « Webroot Threat Blog

Join the Conversation

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s